
My eBay and PayPal accounts were hacked – and I found the thief

Today, while chatting with a co-worker, I received a PayPal notification on my cell confirming my eBay purchase of $586.00.

Excellent!

I love when my purchases are approved. My PayPal account sees more action than nearly any other app on my phone. But I only like hearing from PayPal when I’m buying things.

I did not buy anything on eBay today. I have not bought anything on eBay in years. Once Amazon Prime wooed me into membership, I forgot eBay existed – which is part of the problem.

Immediate response

My eBay is connected to my PayPal, which was connected directly to my checking account. Panic commences. My first steps were to:

  1. Stare at my PayPal app.
  2. Self-doubt – “Did I buy a Ford 6.0L Powerstroke Victor Reinz Head Gasket & Head Studs?” No. What is that? Also, I drive a Nissan.
  3. Look for a cancel or dispute button. Find nothing.
  4. Log in to bank account. There is no pending purchase… yet.
  5. Log in to eBay on my computer.
  6. Request a cancel order.
  7. Cancel order three more times.
  8. Call PayPal.

PayPal’s response

While waiting on the phone for a human being after spending ~5 minutes explaining the issue to a lady robot, I changed my eBay password. Hopefully the criminal couldn’t make any more purchases there for now.

The PayPal representative was very nice and helpful. First, he froze my account and reset my password. Now both eBay and PayPal were protected. I explained the situation and he immediately refunded my account. He also verified all my information and notified me that there was a new address in my settings – a Trenton, NJ address.

He explained the order had already gone through and the money was going to leave my bank account, but I could transfer the refund to my bank now to break even. I thanked him and we hung up. It was really easy, and that is really rare. Many hacked accounts are hard to reclaim.

How my account was compromised

Firstly, the person in Trenton who ordered the head gasket is 100% not a hacker. eBay was hacked in 2014 and the site requested all users change their passwords. I did not, because I forgot eBay existed.

There is a black market for stolen website credentials. When a site like LinkedIn or eBay is hacked, the hackers can collect thousands (if not millions) of usernames and passwords, which they then sell. They can sell 100 usernames to one person and 5,000 to another, depending on what the buyer can afford. With this list in hand, the thief tries each username and password they purchased on other sites until they find the ones that work (the technique is known as credential stuffing). Reply All has a very interesting podcast about buying and selling passwords.

In my case, I had the same password for eBay and PayPal. I can’t be sure which account they got to first, but with that password they were able to access several websites. In using the same password I had set myself up for fraud.

Finding the thief

The thief had changed my primary shipping address to their house. It was a Trenton, NJ address. So I began:

  • Google map the house. It looks scary and it’s in a bad neighborhood.
  • Zillow the house. I can see it hasn’t been sold or bought recently. I look at the estimated worth, property taxes, etc. I am trying to get a feel for the people who live here, and more importantly I’m trying to decide if I think the house is being rented or not.
  • Google the address for public records of people who have lived there.

At this point, I find 4 names of people who live or have lived in this location. The first two are men over 60 years old. They don’t have Facebook or any online presence that I can find, so I set their names aside.

The third name belongs to a middle-aged woman called Brenda. Brenda has a Facebook, and she still lives in Trenton. Most coincidentally – she is friends with the fourth person on my list – a late twenty-something woman named Felisha. Felisha lives in Trenton currently.

I deduce, and you may disagree with my reasoning, that Brenda and Felisha live together. Public records show they both have lived at the address and they are friends on Facebook. Neither Brenda nor Felisha is friends with the older gentlemen listed as previous residents, and I determine the men are less likely to be involved.

Felisha lives in Trenton. Her pictures are of a late twenty-something, heavy set woman with a constant mean mug. She wears all male clothing and portrays herself as very tough. If I have to guess between Brenda (her mother perhaps) or Felisha, I am assuming Felisha is the thief. Am I wrong? Maybe. It’s definitely not enough evidence to call the police. I could send Felisha a Facebook message, but I’m not a journalist and I don’t want this to get weird.

Perhaps Felisha’s friend is the thief, using Felisha’s address to throw us all off. I don’t know, and I’m not going to follow up with it because…

Final justice

Two hours after the ordeal began, I received confirmation from eBay that the order was cancelled. Not only did I get my money back, but Felisha is not getting free head gaskets and the seller isn’t out almost $600. There is justice in this world.

What you need to do

Have you been hacked?

https://haveibeenpwned.com/ is a website that tracks whether you have accounts on websites that have been hacked and had user info stolen. It is a safe and reputable website, and it’s scary.

Enter the username you use on most sites, or simply enter your email address. It will tell you which breached websites your account shows up in. If you’re in the database, change your passwords.
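Besides checking an email address on the site, haveibeenpwned also lets you check a password itself without ever sending it: the Pwned Passwords range API takes only the first five hex characters of the password’s SHA-1 hash and returns every matching hash suffix, which you compare locally. The example below is added here and is not code from the post; the endpoint URL and `SUFFIX:COUNT` response format are the real API as documented by haveibeenpwned, while the sample response and its counts are constructed so the check runs offline.

```python
import hashlib
import urllib.request

# Real endpoint of haveibeenpwned's Pwned Passwords range API (k-anonymity model).
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str):
    """Return (first 5 hex chars, remaining 35) of the uppercase SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse the 'SUFFIX:COUNT' lines the range API returns into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():  # skip blank or malformed lines
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch=None) -> int:
    """Times the password appears in known breaches (0 = never seen). Only the
    5-char prefix is sent; the suffix is matched locally, so neither the
    password nor its full hash leaves this machine."""
    prefix, suffix = split_sha1(password)
    if fetch is None:  # default: query the live API
        def fetch(p):
            with urllib.request.urlopen(RANGE_URL + p, timeout=10) as resp:
                return resp.read().decode("utf-8")
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The neighbouring suffixes and all counts are made up for this example, not real HIBP data.
SAMPLE_RESPONSE = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2AAA439972480CEC7F16C795BBB429372:1
"""


def offline_check(password: str) -> int:
    """Run breach_count against the constructed sample instead of the network."""
    return breach_count(password, fetch=lambda p: SAMPLE_RESPONSE if p == "5BAA6" else "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = offline_check(pw)
        print(f"{pw!r}: {'seen %d times, change it' % n if n else 'not in sample'}")
```

Calling `breach_count(pw)` with no `fetch` argument performs the real lookup; a non-zero count for a password you reuse is exactly the situation this post describes.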

Have several different passwords

I changed every password today on every site. PayPal, eBay, email accounts, all banking and credit cards, Facebook… you name it. You need to create a system of passwords. At least 1 password for email, 1 password for social, 1 password for banking, etc.

If a thief does get your password, they will try it on a ton of websites. Don’t let them get too far.

Enable two-factor authentication (2FA)

2FA is a system on Gmail and other platforms that will send a code to your phone or alert you in another way if your account is accessed from a new computer or device, or if your password is changed. The thief will enter your password, and then find a screen that reads “We have texted you a code to your cell phone. Please enter the code to proceed”.

Unless they also have your phone, or whatever second method of confirmation you create, the thief will likely be locked out.

If PayPal had texted me when my account was first accessed from an unknown device, all of this could have been stopped in advance. Enable 2FA on every account you can.

Enable app notifications on your phone

Allow any app that deals with your email or banking information to send you push notifications on your activity. When you buy something on Amazon Prime, get a text about it. It was the text that alerted me to the fraud and allowed me to stop it immediately. Otherwise, I may not have gotten my money back, and Felisha could have charged even more to my account.

9 thoughts on “My eBay and PayPal accounts were hacked – and I found the thief”

  1. Thanks for sharing your story. Ebay just had me change my password because they saw fraudulent activity on my account. And two factor authorization is hard for me because I don’t have a cell phone signal at my house. I rarely use Ebay anymore either.

    1. Perhaps disconnect your credit or banking information from eBay if you don’t use it too often. That’s too bad that 2FA isn’t an option for you, but if you change your passwords so that you aren’t using the same for eBay and PayPal, you have a good chance at protecting yourself!

    2. My account is currently hacked right now. I use it to sell on but since they’re becoming irrelevant as a marketplace let alone a business, they produce so little sell thru that shutting it down hardly makes a difference to income. But if you catch it right away, first you go here: https://signinalert.ebay.com/sgninalrt/sessions and see if there are any sessions that are logged into ebay that you don’t recognize. Then log everyone out with the button they provide. Then you can change your password, immediately turn on 2FA (they’ll send you a text every time you have to enter your password) or create a security question only you would know that would not show up on public record.

      THEN go to “help and contact” and navigate to Security and pick “Someone else used my account”. Explain everything to the rep, THEN ask them to put a block on the account’s ability to buy and sell. Then you just monitor the account randomly for however long you want it to remain dormant by using the above link that shows the connected sessions. If you forget to monitor it’s ok because your cell phone will still send a text if someone successfully logs in (provided you are able to use 2FA). You call ebay and ask them to remove the block from buying and selling when you think it’s clear. If you don’t use the account anyway and you leave it dormant for a long period of time with the selling/buying turned off at the admin level, even if a hacker got access, they couldn’t use the account for anything and they’ll toss it as useless.

      I’m in the process of waiting out the hacker, they’ve still gotten access even with 2FA enabled, so my only real form of protection that I can make use of is to turn off the selling/buying abilities on the account making it completely useless even if the hacker gets into it. I have no idea how they’re changing the password with 2FA enabled. If I have to change my number too, this will be too much of a pain in the ass for a site that produces almost nothing monetarily.

      1. What a hassle! I’m sorry you’re going through this – even with 2FA enabled! I totally agree, it’s not worth it to use ebay much anymore I can imagine.

        Thanks for the insights! Good luck.
